On new hardware, the Windows 8 secure boot feature will prevent the booting of …

Share this story

PC users who run Windows and Linux on the same machine will want to do some research before purchasing a Windows 8 computer. That's because systems with a "Designed for Windows 8" logo must ship with UEFI secure booting enabled—a move that prevents booting operating systems that aren’t signed by a trusted Certificate Authority.

This could pose a problem for Linux users, though in practice most can just change UEFI settings to disable secure boot before installing the open-source OS. But users will have to depend on hardware vendors to make this option possible in the first place.

Disabling secure boot

“Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled,” Red Hat developer Matthew Garrett writes on his blog in reference to a recent presentation by Microsoft program manager Arie van der Hoeven. The Microsoft exec notes that UEFI and secure boot are “required for Windows 8 client” with the result that “all firmware and software in the boot process must be signed by a trusted Certificate Authority.”

Microsoft has a good reason for this. A “growing class of malware targets the boot path [and] often the only fix is to reinstall the operating system,” van der Hoeven said. “UEFI and secure boot harden the boot process [and] reduce the likelihood of bootkits, rootkits and ransomware.”

Importantly, though, Garrett writes that “there’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code.”

For many (and hopefully most) Windows 8 machines, this means that users have a good chance of successfully entering the UEFI settings interface to turn off secure boot. But this will depend on the hardware vendor.

“Experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market,” Garrett writes. “It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't. It's probably not worth panicking yet. But it is worth being concerned.”

Technically, vendors can ship Windows 8 PCs without meeting Microsoft's "designed for Windows 8" logo requirements, but major OEMs typically would not do that.

The Windows 8 developer tablet Microsoft handed out at this month’s BUILD conference did include the ability to turn off the secure boot process. This is reminiscent of Google’s Cr-48 Chromebook, which allowed users to turn off the Verified Boot process and install another operating system, though this involved flipping a physical switch instead of changing a software setting.

A signed OS

Besides disabling the Windows 8 secure boot process, another option for Linux lovers is installing a signed version of Linux. But “this poses several problems,” Garrett notes. “Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.”

Current machines dual-booting Windows 7 and Linux should be able to upgrade to Windows 8 without wiping out the Linux install. As Microsoft notes in the Building Windows 8 blog, “We will continue to support the legacy BIOS interface.” However, machines using UEFI instead of BIOS “will have significantly richer capabilities” including faster boot times and greater security.

Ultimately, the Windows 8 changes aren’t likely to wipe out Linux dual-boot scenarios, but they could restrict the types of hardware that will allow them. PC users who would boot two operating systems tend to be highly technical, though, so we expect they’ll find the necessary workarounds.

378 Reader Comments

I have tested this OS for 1 hour and I have got to say it is the worst. Apparently Microshaft doesn't agree with the file systems that Linux supports. I was dual booting Ubuntu with XP. Ubuntu was running great and so was XP, but the moment Windows developer preview came in, it completely thrashed my SATA drive. Boy was I in great disappointment. Although it is an OS made to be installed on tablet PC's I will never let this crapware enter my house again. Windows 7 is enough for me and will stay that way. /failclap to Microshaft.

You're *this* close to trolling with that bit of claptrap. I'd suggest caution. It's a pre-release OS meant for developers. It was not, in this early version, tested explicitly for multiboot install with a Linux system and a 10 year old OS.

Since Win8 will have Hyper-V, would a user have the option of installing Linux as a guest OS and booting it that way? Although, in my experience, MS's paravirtualized Linux drivers for Hyper-V are less than reliable.

If you are going to run a DIY OS you should build a DIY computer. I mean... you aren't going to get a $BrandName$ with Win 8 OEM preloaded just to wipe it and install Linux, will you? No. Get a gaming motherboard with no secure anything and run Linux.

Who was that "unimpressed" by an unreleased OS? Weren't you the one a few years back saying the same thing about Win 7 and vowing to stick with XP forever and ever? History always repeats itself with these things. People don't like change. Nerds don't like change even more.

I have several "ready made" machines that I have installed Linux on. These include laptops and low profile machines used as HTPCs.

Not every machine needs to be an 8 core monster with 10 hot swap drive bays.

I really dislike how people repeat the FSF GPL interpretation of the GPL as if *they* get to define what's a derivative work or redistribution (which seem the only way redistributing one GPL-licensed work may have influence over anything else you distribute).

It's not clear why someone providing a digital signature for something would count as redistributing the original or a derivative. A bunch of services generate and distribute "fingerprints" of audio files without it being considered distribution of the original work. A digital signature is, technically, just a fingerprint/hash of the content combined with the key in a verifiable way. It's so separable that a number of schemes, like PGP/MIME, attach the signature as a separate file to the content being signed. You can distribute the signature (that someone with key X verified content Y at time Z) independently of the content itself.

I see it working this way:(1) Company X distributes GPLv3 code to you.(2) Also, Company X (or Y) gives you a binary file that proves they verified an exact version of said code.

I don't see how the GPLv3 can stop part #2 from happening unless someone also needs permission from a record label to fingerprint MP3s someone buys from them. Please, anyone with better knowledge of how the GPLv3 can control this, please educate me.

I have tested this OS for 1 hour and I have got to say it is the worst. Apparently Microshaft doesn't agree with the file systems that Linux supports. I was dual booting Ubuntu with XP. Ubuntu was running great and so was XP, but the moment Windows developer preview came in, it completely thrashed my SATA drive. Boy was I in great disappointment. Although it is an OS made to be installed on tablet PC's I will never let this crapware enter my house again. Windows 7 is enough for me and will stay that way. /failclap to Microshaft.

You're *this* close to trolling with that bit of claptrap. I'd suggest caution. It's a pre-release OS meant for developers. It was not, in this early version, tested explicitly for multiboot install with a Linux system and a 10 year old OS.

If the shoe were on the other foot you would likely not cut Ubuntu any slack.

Linux users might still be able to dual boot in "legacy BIOS mode", but what is a bit more scary about this is that this sounds very much like "secure computing" concept. If OS is able to check that it is running on signed hardware, it will be possible to build a new generation of DRM, that will only allow to play content on signed hardware platforms. This gives copyright authorities a LOT of potential control over the media played on future computers.

Yes. Secure Computing aka TPM [Trusted Platform Module] is pretty much what anyone with an iPhone is used to - assuming it hasn't been "jail-broken".

Infineon provides as the vendor of TPM-Chips also a comprehensive software solution, which is delivered as OEM-Version with new computers as well as separately by Infineon for products with TPM technology which complies to the TCG-standards.

Wave Systems offers a broad range of Client- and Server-software, which runs on all TPM chip-sets. For instance, this software is pre-installed on several models from Dell and Gateway.

Microsofts operating systems Windows Vista and Windows 7 as well as Microsoft Windows Server starting from Windows Server 2008 use the chip in conjunction with the included disk encryption software named Bitlocker.

In 2006, with the introduction of the first Macintosh models with Intel processors, Apple started to ship Macs with TPMs. Apple never provided an official driver, but there was a port under GPL available.[12] In 2009, Apple stopped shipping TPMs.[citation needed]

But there are also hybrid types, e.g. where the TPM-Modul is integrated into the Ethernet-Chip as on (Broadcom) while the software which runs „on-top“ is based on Infineon.

Why exactly does Windows 8 need this signed-boot option to provide security when Linux, BSD, Mac and every other OS has provided better security without it?

Those OS's got around the problem by avoiding the dreaded "popularity" and "ubiquity" of Windows, so it not persued nearly as hard as an attack vector.

Any OS that uses a real-mode bootstrap process is vulnerable to unaproved code being injected and taking over, regardless of your religious concern about its inherent superiority.

It's not 1985 anymore. Most people don't boot off of random removable media any more. If your OS is rooted, then it got rooted through an entirely different attack vector. Trying to lock the barn door after the barn has burned down won't help a d*mn thing.

I see it working this way:(1) Company X distributes GPLv3 code to you.(2) Also, Company X (or Y) gives you a binary file that proves they verified an exact version of said code.

To provide a closer example, both Red Hat and Canonical digitally sign their RPMs and Debs. The fact that someone may build hardware that requires such signatures seems independent of their ability to create them.

If the shoe were on the other foot you would likely not cut Ubuntu any slack.

I've worked on enough OS's in my career to respect when a developer says they're at a very preliminary quality bar. If I have a problem with Ubuntu, it's that they've made their release cadence so quick that it has slipped their quality at times, and resulted in some very unimpressive releases for the sake of an entire upgrade.

How? If the GPLv3 is stopping Linux distros from taking advantage of hardware security, why is that Microsoft's fault?

The problem is that *any* OS that doesn't get the kernel signed with one of the certificates loaded into the UEFI won't run on the hardware. Compile your own linux\*BSD\*nix\*BeOS\school project and the hardware shuts it down.

Which means that hardware you own won't be able to run software you wrote.

Heck, if a new OS hits the market (Android for x86), if they don't get to use one of the pre-programmed certs you'd have to update the mobos firmware with the new certs. Which presumes the hardware supports adding new certs and that the mobo manufacturers release cert-update tools in a timely basis.

And *THAT* is what the EU is likely to get fussy about as it is a market lock-out.

The reason it is Microsoft's "fault" is that they are making this feature a requirement for the "made for Windows 8" badge, which is a) a selling point and b) may involve advertising dollars, meaning that MS could be seen as buying a physical monopoly. (duopoly?)

The answer is for the hardware manufacturers to include a bypass mechanism set through the UEFI setup or a mobo switch. Since there is a cost to the software/hardware, the concern is that manufacturers won't include that option.

It's not 1985 anymore. Most people don't boot off of random removable media any more. If your OS is rooted, then it got rooted through an entirely different attack vector. Trying to lock the barn door after the barn has burned down won't help a d*mn thing.

The only thing this does is makes it harder for alternate OS users.

It doesn't add a thing to "security".

Every OS has has had flaws that allow privledge execution, and will continue to do so for the foreseeable future, so pretending that the magic fix for this exists in other OS's is disingenuous at best.

I have a hard time believing you're suggesting a signed code path is useless...except if it's just that you don't like that MS is doing it. UEFI has this as part of the standard, all Microsoft has said is that it's required to get a logo from them. Making this into a tech religious issue does not address the technical benefits in any way.

Though annoying, this doesn't sound like it'll be much of a problem for most users given the existence of Virtualbox et al.

Sure, instead of being able to just boot into an OS of my choosing, I should be locked into Windows and have it running in the background 24/7 while my OS of choice gets to hop through virtualization latencies. That's totally reasonable.

It's not clear why someone providing a digital signature for something would count as redistributing the original or a derivative.

I think you're confusing things. The issue with the GPLv3 here is that you can't use GPLv3 licensed software within a system that enforces code signing without giving the recipient the keys used to sign it (or providing a means for the user to do so with their own keys, I am not certain on this bit.) It's to avoid TiVOization, and a direct reaction to initiatives like this.

Why exactly does Windows 8 need this signed-boot option to provide security when Linux, BSD, Mac and every other OS has provided better security without it?

Those OS's got around the problem by avoiding the dreaded "popularity" and "ubiquity" of Windows, so it not persued nearly as hard as an attack vector.

Any OS that uses a real-mode bootstrap process is vulnerable to unaproved code being injected and taking over, regardless of your religious concern about its inherent superiority.

It's not 1985 anymore. Most people don't boot off of random removable media any more. If your OS is rooted, then it got rooted through an entirely different attack vector. Trying to lock the barn door after the barn has burned down won't help a d*mn thing.

The only thing this does is makes it harder for alternate OS users.

It doesn't add a thing to "security".

People boot with removable media installed all the time, regardless of whether they know it's "bootable" or not.

++Someone dual booting will be perfectly capable of flipping a switch in their BIOS, and doing a little research before they buy a machine to make sure the switch is there.

Assuming you can even find the switch, and that it even has one. I mean, you can defend MS all you want but they have a history of anti-competitive behavior and I expect them to throw their weight around to the detriment of everyone else.

Quote:

Besides, in 2011, why dual boot when you can just run the less used OS as a VM?

Right, because no one ever uses a computer without using Windows. No Linux install exists without an adjacent Windows partition.

How is UEFI and secure boot a boon for the end user? Previously, malware would generally run in the background and allow use of the compromised PC(for better or worse.) Now the machine will be unusable by design when infected. This should drive the PC market though, good for Microsoft.What is to stop a certificate from being compromised, and a malware maker from signing their malware?

Linux users might still be able to dual boot in "legacy BIOS mode", but what is a bit more scary about this is that this sounds very much like "secure computing" concept. If OS is able to check that it is running on signed hardware, it will be possible to build a new generation of DRM, that will only allow to play content on signed hardware platforms. This gives copyright authorities a LOT of potential control over the media played on future computers.

I think the term you had in mind was "trusted computing". And the big question mark related to that is "trusted by who?". This because it is not the user that is supposed to be able to trust the computer, but third parties like big media.

And Microsoft have been toying with this since at least Vista. First they called it Palladium, then it become Next-Generation Secure Computing Platform. At the time it required a special module on the motherboard. Now it seems they have managed to "sneak" it into the bootstrap firmware.

It's not clear why someone providing a digital signature for something would count as redistributing the original or a derivative.

I think you're confusing things. The issue with the GPLv3 here is that you can't use GPLv3 licensed software within a system that enforces code signing without giving the recipient the keys used to sign it (or providing a means for the user to do so with their own keys, I am not certain on this bit.) It's to avoid TiVOization, and a direct reaction to initiatives like this.

You're making a mistake equating the rules the GPL imposes on redistributors with rules on *users*. If TiVo builds a device requiring signed code *and* distributes modified GPLv3 code with the device, they may have a problem because they're subjecting themselves to the GPL's requirements for redistributors.

If *I* buy a computer requiring a signed bootloader and install an OS with a compatible, signed, GPLv3 bootloader on it, I'm not redistributing the code. I don't have to agree to the GPL *at all*; the GPL is not a EULA. Moreover, the company that distributed the signed OS to me didn't build the system requiring the signed bootloader, so I don't see how they would be affected, either.

Enterprise? Less technical users can be secured against any unauthorized system modification.Individuals? Same thing.

I wouldn't mind it, except that plans like this almost always stick every consumer in the "ignorant moron" bucket like Apple does and explicitly provide no way out.

Quote:

What is to stop a certificate from being compromised, and a malware maker from signing their malware?

Nothing, as we've seen. This is not about security, but about interfering with competitors and DRM.

davidstrauss wrote:

You're making a mistake equating the rules the GPL imposes on redistributors with rules on *users*. If TiVo builds a device requiring signed code *and* distributes modified GPLv3 code with the device, they may have a problem because they're subjecting themselves to the GPL's requirements for redistributors.

Correct.

Quote:

If *I* buy a computer requiring a signed bootloader and install an OS with a compatible, signed, GPLv3 bootloader on it, I'm not redistributing the code.

Correct, however the vendor that you got the GPLv3 bootloader would need to give you the key used to sign the bootloader. They may not have implemented the system, but they are certainly complicit if their key is present on the device.

Assuming you can even find the switch, and that it even has one. I mean, you can defend MS all you want but they have a history of anti-competitive behavior and I expect them to throw their weight around to the detriment of everyone else.

This isn't an anti-competitive move, no matter how much you might argue otherwise. As I mentioned before, there will be plenty of hardware Linux will be able to use, and non-OEMs are pretty-much guaranteed to give that user and option. Hell, OEMs might as well, depending on where their boards are sourced. MS doesn't care about Linux on the desktop enough to worry about boot options like this. It is exactly what it says. Securing the boot path. I've had to clean enough nasty stuff off of other people's computers to appreciate that.

How? If the GPLv3 is stopping Linux distros from taking advantage of hardware security, why is that Microsoft's fault?

Its not the GPL thats going to upset Europe.

If PCs are being build requring signing, and MS is using its market dominance to push this, its adding a new barrier to potential entrants (That barrier being digital signing), which could potentially be misuse of market power.

How? If the GPLv3 is stopping Linux distros from taking advantage of hardware security, why is that Microsoft's fault?

The EU demanded that Microsoft support interoperability with other products. Requiring hardware manufacturers to support a feature that all but blocks other OSes could be seen as illegal anti-competitive behavior. The EU has already fined Microsoft twice for lesser behavior.

I know Macs use EFI, but do they use UEFI? Will this block Windows installs via Bootcamp on Apple hardware?

And I'm skeptical that Windows 8 will install on existing Windows 7/Linux dual-boots, because Windows 7 SP1 refuses to install on dual-boots currently.

Even if you assume that most geek/OS-enthusiasts will build their own computer just because they use Linux, that isn't the case. Linus himself is known to purchase Apple hardware and install Linux on top of it.

And this restriction would limit new users from trying and discovering Linux if they have OEM hardware.

This isn't an anti-competitive move, no matter how much you might argue otherwise. As I mentioned before, there will be plenty of hardware Linux will be able to use, and non-OEMs are pretty-much guaranteed to give that user and option.

Maybe. We don't know yet. But as hard as you fight to defend them, Microsoft has a known history. Consider that in your arguments.

Quote:

MS doesn't care about Linux on the desktop enough to worry about boot options like this. It is exactly what it says. Securing the boot path. I've had to clean enough nasty stuff off of other people's computers to appreciate that.

MS definitely cares. They hate Linux. They'd love to see it, the GPL, and everything it covers burned and buried. And I have see nothing in the last 10 years that indicates their position has changed.

How? If the GPLv3 is stopping Linux distros from taking advantage of hardware security, why is that Microsoft's fault?

The EU demanded that Microsoft support interoperability with other products. Requiring hardware manufacturers to support a feature that all but blocks other OSes could be seen as illegal anti-competitive behavior. The EU has already fined Microsoft twice for lesser behavior.

I know Macs use EFI, but do they use UEFI? Will this block Windows installs via Bootcamp on Apple hardware?

And I'm skeptical that Windows 8 will install on existing Windows 7/Linux dual-boots, because Windows 7 SP1 refuses to install on dual-boots currently.

Again how? The article already states that Windows 8 PCs can be shipped on computers that don't meet the "Designed for Windows 8" requirements. UEFI is not a required layer for all Windows 8 PCs. And today, Windows 8 is already able to be installed via Boot Camp.

My father is an automation engineer and he got a virus on his system recently. As stated in the article, the only fix was to reinstall the operating system.

Likely he could have slaved out the hard drive and cleaned the infection from another machine, or just booted to a Tools CD with anti-virus, or booted to a Linux live CD.

In my lifetime of fixing computers for friends, family and at work, I've never once come across an infection I could not clean.

Microsoft could have approached this problem by sandboxing the boot loader and forbidding anything from writing to it while Windows is running. They opted for another solution that restricts you from running other operating systems.